Ajax: Don't auto-execute scripts unless dataType provided

PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic same-domain scripts as well.

After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script` in `jQuery.ajax` options or to use
`jQuery.getScript`.

Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
This commit is contained in:
Michał Gołębiowski-Owczarek 2021-01-26 15:58:29 +01:00 committed by GitHub
parent a32cf6324f
commit 025da4dd34
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 64 deletions

View File

@ -19,22 +19,13 @@ function canUseScriptTag( s ) {
( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
}
// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
if ( s.crossDomain ) {
s.contents.script = false;
}
} );
// Install script dataType
// Install script dataType. Don't specify `content.script` so that an explicit
// `dataType: "script"` is required (see gh-2432, gh-4822)
jQuery.ajaxSetup( {
accepts: {
script: "text/javascript, application/javascript, " +
"application/ecmascript, application/x-ecmascript"
},
contents: {
script: /\b(?:java|ecma)script\b/
},
converters: {
"text script": function( text ) {
jQuery.globalEval( text );

View File

@ -71,24 +71,6 @@ QUnit.module( "ajax", {
};
} );
ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
function( assert ) {
return {
create: function( options ) {
options.crossDomain = true;
options.dataType = "script";
return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
},
success: function() {
assert.ok( true, "success" );
},
complete: function() {
assert.ok( true, "complete" );
}
};
}
);
ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
function( assert ) {
return {
@ -114,22 +96,34 @@ QUnit.module( "ajax", {
}
);
ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
ajaxTest( "jQuery.ajax() - execute JS when dataType option is provided", 3,
function( assert ) {
return {
create: function( options ) {
options.crossDomain = true;
return jQuery.ajax( url( "mock.php?action=script&header" ), options );
options.dataType = "script";
return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
},
success: function() {
assert.ok( true, "success" );
},
fail: function() {
assert.ok( false, "fail" );
},
complete: function() {
assert.ok( true, "complete" );
}
};
}
);
jQuery.each( [ " - Same Domain", " - Cross Domain" ], function( crossDomain, label ) {
ajaxTest( "jQuery.ajax() - do not execute JS (gh-2432, gh-4822) " + label, 1, function( assert ) {
return {
url: url( "mock.php?action=script&header" ),
crossDomain: crossDomain,
success: function() {
assert.ok( true, "success" );
}
};
} );
} );
ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
@ -1439,25 +1433,6 @@ QUnit.module( "ajax", {
};
} );
ajaxTest( "jQuery.ajax() - script by content-type", 2, function() {
return [
{
url: baseURL + "mock.php?action=script",
data: {
"header": "script"
},
success: true
},
{
url: baseURL + "mock.php?action=script",
data: {
"header": "ecma"
},
success: true
}
];
} );
ajaxTest( "jQuery.ajax() - JSON by content-type", 5, function( assert ) {
return {
url: baseURL + "mock.php?action=json",